Cyber-Threat Report: Americans Attacking Americans? Maybe

The big eye-popper from the latest Solutionary Global Threat Intelligence Report (GTIR), which analyzes the cyber threats that enterprises, governments and mid-market organizations faced throughout 2012, what those threats cost, and how to defend against them, is the numbers.

Drawing on data from real-world engagements with customers in 14 industries across the globe, the Security Engineering Research Team (SERT) of managed security service provider (MSSP) Solutionary found that organizations spend as much as $6,500 per hour recovering from DDoS attacks, and up to 30 days mitigating and recovering from malware attacks at a cost of just over $3,000 per day.

Rob Kraus, Research Director of Solutionary’s Security Engineering Research Team (SERT), told Security Bistro that much of the cost of these incidents went towards support personnel.

"During many of the DDoS attacks Solutionary SERT supported over the last year, 3-20 people may be involved in helping mitigate the attacks," he said. "This includes time spent on researching the attacks, defining the impact, countless hours on incident response bridges and obtaining support from third-party Subject Matter Experts."

Kraus noted that the more "efficient" an organization is at controlling these peripheral activities, the less expensive the attack becomes to handle.

"Some of the costs can also be attributed to temporary DDoS mitigation service fees," he said. "In some cases, we have observed DDoS mitigation vendors charging for an 'Emergency DDoS Mitigation' solution, which resulted in fees in excess of $30,000 for a single incident."

With DDoS attacks in particular, Kraus said that the battle doesn't end once the incident is over.

"Organizations will often conduct post-incident activities, including the addition of mitigating controls, team meetings and 'hot wash' discussions about how to improve defensive capabilities and incident response plans," said Kraus. "These often happen over a series of weeks, until the organization is satisfied with the enhancements."

SERT found that 75% of the DDoS attacks it investigated last year targeted Secure Sockets Layer (SSL)-protected components of web applications. In addition to traditional network-layer attacks, recent DDoS attacks often focus on application-layer components, with SSL the most common target. Detecting and blocking attacks carried in encrypted protocols that are primarily used for legitimate traffic can be more complex than responding to historical TCP/UDP-based DDoS attacks, according to the report: the payload cannot be inspected without terminating the encryption, and the handshake itself costs the server far more than it costs the client.

Aside from cost, the Solutionary report also peeled back the curtain on where attacks come from. U.S. IP addresses are the largest source of attacks against U.S. organizations: 83% of all attacks against U.S. organizations originate from U.S. IP address space, and the absolute number of these attacks vastly outnumbers attacks seen from any other country, according to the report. Note that the source address identifies the host that sent the traffic, which is often a compromised machine rather than the attacker's own system.

"Attackers are smart. We have observed that localization of the attack source has been an effective tactic for attackers to take advantage of," he said. "For instance, if an attacker can use compromised systems located in the United States to attack a target also located in the United States, it makes it harder for the victim to simply use techniques such as 'geo-blocking.' Since the United States is also the 'most connected' country in the world, it also makes sense for attackers to leverage the computing power we have available."
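To make the two points above concrete (an attack that hides inside the encrypted protocol, and a geo-block that cannot stop it because the bots share the victim's country), here is an added example that is not part of the Solutionary report or of this article. It watches only the metadata a TLS terminator can export (a ClientHello arrived, a request completed), flags sources that open far more handshakes than they ever use, and then computes how much of the flagged traffic an "allow U.S. only" rule would actually have stopped. The log format, the thresholds and the prefix-to-country table are assumptions, and the log lines are constructed.

```python
"""Flag a TLS handshake flood from connection metadata alone, then measure how
much of it a geo-block would have stopped.

Added example (not code from the Solutionary report or Security Bistro).  The
log format, the thresholds and the prefix-to-country table are all assumptions;
the log lines are constructed to mimic one legitimate client and three bots."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

WINDOW = 10       # seconds per detection window (assumed)
MAX_HELLOS = 20   # ClientHellos per source per window before we flag (assumed)
MIN_SILENT = 10   # this many handshakes with zero completed requests is also suspicious (assumed)

# Constructed stand-in for a GeoIP database: prefix -> ISO country code.
GEO = {
    ip_network("198.51.100.0/24"): "US",
    ip_network("203.0.113.0/24"): "US",
    ip_network("192.0.2.0/24"): "DE",
}


def build_log():
    """Constructed log of '<seconds> <src_ip> <event>' lines as a TLS terminator
    might export them: 'hello' = ClientHello received, 'req' = an HTTP request
    completed inside the session.  The encrypted payload itself is never seen."""
    lines = []
    # One legitimate browser: a handshake every few seconds, each followed by requests.
    for t in range(0, 10, 3):
        lines.append(f"{t} 198.51.100.7 hello")
        lines += [f"{t} 198.51.100.7 req"] * 4
    # Three bots that only open handshakes and never complete a request; two of
    # them sit in (constructed) U.S. address space, one abroad.
    for src, n in (("203.0.113.10", 40), ("203.0.113.11", 35), ("192.0.2.5", 25)):
        lines += [f"{i % WINDOW} {src} hello" for i in range(n)]
    return lines


def detect_handshake_flood(lines, window=WINDOW, max_hellos=MAX_HELLOS, min_silent=MIN_SILENT):
    """Return {src: (hellos, reqs)} for sources that look like a handshake flood in
    some window: either too many ClientHellos, or a run of handshakes that never
    produce a completed request.  Only metadata is used, because the application
    data is encrypted."""
    per_window = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        t, src, ev = line.split()
        per_window[int(t) // window][src][ev] += 1
    flagged = {}
    for buckets in per_window.values():
        for src, c in buckets.items():
            hellos, reqs = c["hello"], c["req"]
            if hellos > max_hellos or (reqs == 0 and hellos >= min_silent):
                if src not in flagged or hellos > flagged[src][0]:  # keep the worst window
                    flagged[src] = (hellos, reqs)
    return flagged


def country(ip):
    """Look the source up in the constructed prefix table ('??' if unknown)."""
    addr = ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "??")


def geo_block_coverage(flagged, allowed=frozenset({"US"})):
    """Fraction of the flagged handshakes that a rule dropping every source
    outside `allowed` would have stopped.  Bots inside the allowed country slip
    straight through, which is the weakness Kraus describes."""
    total = sum(h for h, _ in flagged.values())
    blocked = sum(h for src, (h, _) in flagged.items() if country(src) not in allowed)
    return blocked / total if total else 0.0


if __name__ == "__main__":
    hits = detect_handshake_flood(build_log())
    for src, (h, r) in sorted(hits.items()):
        print(f"{src:14} {country(src)}  hellos={h:3} completed_requests={r}")
    print(f"geo-block (allow US only) would stop {geo_block_coverage(hits):.0%} of the flood")
```

Run it directly to print the flagged sources. With the constructed log, two of the three bots sit in U.S. address space, so the geo-block drops only a quarter of the flood, while the legitimate client, which completes requests after each handshake, is never flagged.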

The most targeted industries, according to the report, are financial services and retail: approximately 80% of attempts to infect organizations with malware are directed at financial (45%) and retail (35%) organizations. These attempts frequently arrive as targeted spam email that tries to lure the recipient into executing an attachment or clicking a link that leads to malware.

These attack patterns point to what Kraus thinks will be the biggest security concern in the coming year: the continued development of exploit kit capabilities and their growing ease of use and availability.

"BlackHole Exploit kits made some major advances last year and we believe other exploit kits will be stepping up their game as well. We also predict that Java vulnerabilities will continue to plague system administrators and continue to be a challenge to face throughout the year," said Kraus.